Bug 1302905 - RFE audit logging improvement
RFE audit logging improvement
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Documentation (Show other bugs)
10.0
Unspecified Unspecified
unspecified Severity unspecified
: DS10.1
: ---
Assigned To: Marc Muehlfeld
Viktor Ashirov
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-28 18:16 EST by wibrown@redhat.com
Modified: 2016-11-21 08:43 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-21 08:43:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description wibrown@redhat.com 2016-01-28 18:16:58 EST
Suggestions for improvement: 

We added a new logging mechanism to ds which is able to log failed attempts to alter / modify objects in a directory. 

A new set of configuration values is added. These match the nsslapd-audit config items in function, but they control the auditfail log.

'nsslapd-auditfaillog-maxlogsize'
'nsslapd-auditfaillog-logrotationsync-enabled'
'nsslapd-auditfaillog-logrotationsynchour'
'nsslapd-auditfaillog-logrotationtime'
'nsslapd-auditfaillog-logrotationtimeunit'
'nsslapd-auditfaillog-logmaxdiskspace'
'nsslapd-auditfaillog-logminfreediskspace'
'nsslapd-auditfaillog-logexpirationtime'
'nsslapd-auditfaillog-logexpirationtimeunit'
'nsslapd-auditfaillog-logging-enabled'
'nsslapd-auditfaillog-logging-hide-unhashed-pw'
'nsslapd-auditfaillog'
'nsslapd-auditfaillog-list'

If the nsslapd-auditfaillog is *not* given, the fail events are logged into the audit log as well.

Audit events now show the operation return code and reason for failure / success.

If a plugin has the attribute in it's configuration

nsslapd-logAccess
nsslapd-logAudit

The events generated by the plugin will go to the access and audit logs respectively. If auditfail is enabled, failures will be logged too.

Additionally, the plugins now respect the global values:

nsslapd-plugin-logging

Which will cause all plugins to log their access and audit events.
Comment 1 Petr Bokoc 2016-05-31 07:02:08 EDT
Hi Will, I was comparing the list of attributes you provided above with the existing list of 'nsslapd-auditlog*' parameters in the Configuration, Command and File Reference, and I found some discrepancies. Can you please take a look and let me know if this is expected or if we're missing some attributes?

The following attributes are available for auditlog, but do not have an equivalent in the list you provided for auditfaillog:

* nsslapd-auditlog-logrotationsyncmin
* nsslapd-auditlog-maxlogsperdir
* nsslapd-auditlog-mode

The following attribute is in your list for auditfaillog, but does not have an equivalent auditlog attribute:

* nsslapd-auditfaillog-logging-hide-unhashed-pw

The following attribute is documented for nsslapd-accesslog but not auditlog or auditfaillog or errorlog - although I suspect that might be OK:

* nsslapd-accesslog-logbuffering

Thanks!
Comment 2 wibrown@redhat.com 2016-06-13 20:23:39 EDT
ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE	"nsslapd-auditfaillog-mode"

./ldap/servers/slapd/libglobs.c:1130:	{CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,
./ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE	"nsslapd-auditfaillog-mode"

ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-auditfaillog-maxlogsperdir"

ldap/servers/slapd/libglobs.c:1162:	{CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-auditfaillog-maxlogsperdir"

ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"

ldap/servers/slapd/libglobs.c:297:	{CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"


Appears to all be there. But it's missing from the 01core389.ldif. Saying this, nsslapd-auditlog-mode and co. are missing from the 389core.ldif too.


What made you think they were missing? They just aren't part of the template dse.ldif, but if you add them they will work ...
Comment 5 Marc Muehlfeld 2016-11-21 08:43:19 EST
The update for Directory Server 10.1 is now available on the Customer Portal.

Note You need to log in before you can comment on or make changes to this bug.